Abstract

Techniques were developed that make it possible to use remote servers without having to reveal to them either (i) the confidential inputs and outputs of computations; or (ii) in the case of information storage and retrieval, the confidential data and the queries made against it. The techniques also make cheating by the remote untrusted servers detectable; here cheating means "not carrying out the expected computational and storage duties". Significant progress was also made in the direction of hiding from the remote servers the access patterns to the encrypted data that they store, a potentially important consideration in situations where it is not enough to hide the data (e.g., when the access patterns reveal too much about the nature of how the data is being used).

The contributions of the work can be categorized as either (i) being the first to achieve confidentiality-preserving outsourcing for the computational and data structuring problems considered; or (ii) achieving significantly better performance than the previously published schemes for the problems considered. The progress in this area brings closer the day when remote cloud servers can be used for the most confidential tasks, without worry about confidentiality being compromised by security breaches occurring at the cloud service providers.


Summary of Technical Results Achieved

The major results obtained are now briefly summarized, categorized according to the main theme of each. In what follows, we use secure outsourcing to refer to the use of remote servers that are not cleared to view any confidential data and computations, so that the client avails itself of their computational and storage resources without revealing anything to them about either the confidential inputs or the outputs they helped compute.

Sequence comparisons

Protocols were given for securely outsourcing the most important of all distance metrics between two sequences: the edit distance, which, given two sequences x and y of respective lengths n and m, is the cost of a minimum-cost sequence of insertions, deletions, and substitutions that transform x into y. This computation is expensive, and securely outsourcing it is a significant achievement. The previous method of achieving this was far less efficient, both from a theoretical point of view and because it used homomorphic encryption. By utilizing garbled circuit evaluation techniques in a novel way, the new method avoids the use of public-key cryptography and uses only symmetric encryption. The advantages of the new scheme over the previous best known protocols for this problem are summarized below.

• The client does only O(m+n) work and communication, as opposed to the previous O(mn).

• The round complexity has been reduced to 1, as opposed to the previous O(mn).

• The space used at the servers has been reduced to O(m+n), as opposed to the previous O(mn).

• The cryptography used in the new scheme is only of the symmetric kind, whereas the previous scheme used homomorphic encryption and oblivious transfer.

Biometrics

The first protocols for securely outsourcing biometric comparisons and searching were designed (for iris identification). The protocols were validated experimentally on a database of iris codes. This is important because, unlike passwords, biometrics cannot be modified if they are leaked to an adversary in digital form.

Information storage and retrieval

Novel techniques were designed for storing, at a remote server, an encrypted database such that confidentiality-preserving remote query processing by weak clients is supported even for complex queries. Techniques for hiding the query access patterns were also designed (hiding which encrypted data items are the target of the various queries). Significantly, the approach uses only inexpensive (symmetric) encryption.
Finite Automata


Protocols were given for the problem of secure outsourcing of error-resilient DNA searching via oblivious evaluation of finite automata, where a client has a DNA sequence, and a service provider has a pattern that corresponds to a genetic test. Error-resilient searching is achieved by representing the pattern as a finite automaton and evaluating it on the DNA sequence (which is treated as the input), where confidentiality of both the pattern and the DNA sequence must be preserved. The techniques are applicable to any type of finite automata (e.g., signature-based intrusion detection automata), but the optimizations were tailored to the setting of DNA searching.
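As an added illustration (not the report's own code) of "representing the pattern as a finite automaton and evaluating it on the DNA sequence", the following builds, by subset construction, the explicit DFA for a pattern with up to k substitution errors and then walks it over a text one symbol at a time. The transition table is exactly the object an oblivious automaton evaluation protocol would operate on; the DNA alphabet and the mismatch-only error model are assumptions of this example.

```python
ALPHABET = "ACGT"  # DNA alphabet assumed for this example

def build_mismatch_dfa(pattern, k):
    """Subset-construct a DFA accepting every text that contains `pattern`
    with at most k substitution errors (Hamming distance <= k).
    NFA states are (j, e): j pattern symbols consumed with e errors so far.
    Returns (transitions, accepting): transitions[state][symbol] -> state."""
    m = len(pattern)

    def step(nfa_states, c):
        nxt = {(0, 0)}  # an occurrence may begin at any text position
        for j, e in nfa_states:
            if j == m:          # a match was already completed: stay accepting
                nxt.add((j, e))
                continue
            err = e + (pattern[j] != c)
            if err <= k:
                nxt.add((j + 1, err))
        return frozenset(nxt)

    start = frozenset({(0, 0)})
    ids, worklist = {start: 0}, [start]
    transitions, accepting = {}, set()
    while worklist:
        s = worklist.pop()
        sid = ids[s]
        if any(j == m for j, _ in s):
            accepting.add(sid)
        transitions[sid] = {}
        for c in ALPHABET:
            t = step(s, c)
            if t not in ids:          # newly discovered DFA state
                ids[t] = len(ids)
                worklist.append(t)
            transitions[sid][c] = ids[t]
    return transitions, accepting

def run_dfa(transitions, accepting, text):
    """Evaluate the automaton on the DNA text one symbol at a time; this is
    the step the secure protocol performs without revealing either side."""
    state = 0
    for c in text:
        state = transitions[state][c]
    return state in accepting

def approx_search(pattern, text, k):
    """True iff `pattern` occurs in `text` with at most k mismatches."""
    transitions, accepting = build_mismatch_dfa(pattern, k)
    return run_dfa(transitions, accepting, text)
```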

Linear-algebra computations

Protocols were designed for a client to securely outsource expensive algebraic computations (like the multiplication of large matrices) to a remote server, such that the server learns nothing about the client's input or the result of the computation, and any attempted corruption of the answer by the server is detected with high probability. The computational work performed at the client was linear in the size of its input (which is unavoidable) and did not require the client to locally carry out any expensive encryptions of such input. The computational burden on the server was proportional to the time complexity of the best practically used algorithms for solving the algebraic problem (e.g., cubic time for multiplying two matrices). The improvements given include the option of using a single server, avoiding the use of any expensive cryptographic primitives (no homomorphic encryption), and resilience to collusion between the remote servers (hence the ability to detect any attempt by the servers at collusive and coordinated corruption of the answer).
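The report states that corruption of an outsourced matrix product is detected with high probability but does not spell out the check. The following added example (not the report's protocol) uses Freivalds' randomized verification, a standard technique, to show how a client can check C = A·B with O(n²) work per round and no cryptography; the matrices are constructed for the example.

```python
import random

def matmul(A, B):
    """Plain O(n^3) product: the work that is handed to the server."""
    return [[sum(A[i][t] * B[t][j] for t in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def matvec(M, v):
    """Matrix-vector product, O(n^2): the client's share of the work."""
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]

def freivalds_check(A, B, C, rounds=20, seed=None):
    """Client-side check that C == A*B using only O(rounds * n^2) work.
    For a random 0/1 vector r, compare A(Br) with Cr. A wrong C passes a
    single round with probability <= 1/2, so a corrupted answer escapes
    detection with probability <= 2**-rounds. `seed` fixes the randomness
    for reproducible runs (hypothetical parameter of this example)."""
    rng = random.Random(seed)
    n = len(B[0])
    for _ in range(rounds):
        r = [rng.randint(0, 1) for _ in range(n)]
        if matvec(A, matvec(B, r)) != matvec(C, r):
            return False          # server's answer is certainly wrong
    return True                   # accepted; wrong with prob <= 2**-rounds
```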

Algebraic computations over closed semi-rings

The above algebraic outsourcing techniques were significantly extended to no longer hinge on the existence of additive and multiplicative inverses for the familiar matrix multiplication over the (+,*) ring: they work when one (or both) of these inverses do not exist, as happens for many practically important algebraic structures (including closed semi-rings) when one or both of the two operations in the matrix multiplication is the "min" or "max" operation. Such matrix multiplications are very common in optimization. The protocols designed were for the cases of (+,min) multiplication, (min,max) multiplication, and of (min,+) multiplication; the last two cases are particularly important primitives in many combinatorial optimization problems.
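To make the (+,min), (min,max) and (min,+) products concrete, here is an added example (not from the report) of matrix multiplication parameterized by the semi-ring, together with the (min,+) closure that yields all-pairs shortest paths; the graph weights are constructed. Note that min and max have no additive inverse, which is why masking techniques that rely on subtraction over (+,*) do not carry over directly.

```python
INF = float("inf")

# (additive op, multiplicative op, additive identity) for each structure.
# Only (+,*) has additive inverses; min and max have none.
SEMIRINGS = {
    "plus-times": (lambda a, b: a + b, lambda a, b: a * b, 0),
    "min-plus":   (min, lambda a, b: a + b, INF),   # shortest paths
    "min-max":    (min, max, INF),                  # bottleneck paths
    "plus-min":   (lambda a, b: a + b, min, 0),
}

def semiring_matmul(A, B, name):
    """C[i][j] = add over t of mul(A[i][t], B[t][j]) in the named semi-ring."""
    add, mul, zero = SEMIRINGS[name]
    n, k, m = len(A), len(B), len(B[0])
    C = [[zero] * m for _ in range(n)]
    for i in range(n):
        for j in range(m):
            acc = zero
            for t in range(k):
                acc = add(acc, mul(A[i][t], B[t][j]))
            C[i][j] = acc
    return C

def min_plus_closure(W):
    """All-pairs shortest paths by repeated (min,+) squaring of the weight
    matrix (W[i][j] = edge weight, INF if absent, 0 on the diagonal).
    Converges for non-negative weights after O(log n) squarings."""
    D = W
    while True:
        D2 = semiring_matmul(D, D, "min-plus")
        if D2 == D:
            return D
        D = D2
```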

Pattern matching in the Hamming distance with thresholds

An efficient solution was given to a significant generalization of the classic pattern matching problem, motivated by the situation where the entries in the text and pattern are analog, or distorted by additive noise, or imprecisely given for some other reason: in any alignment of the pattern with the text, two aligned symbols contribute 1 to the similarity score if they differ by no more than a given threshold, otherwise they contribute zero (the classic Hamming distance matching problem is the special case of zero threshold).
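The scoring rule just defined, as an added worked example (not the report's algorithm): the similarity score of every alignment under a threshold, and the alignments achieving the best score. The sample text and pattern are constructed so that additive noise of magnitude at most 0.4 defeats the zero-threshold (classic Hamming) case but is absorbed by a threshold of 0.5.

```python
def threshold_similarity(text, pattern, threshold):
    """Similarity score of every alignment i of `pattern` against `text`:
    aligned entries score 1 when |text[i+j] - pattern[j]| <= threshold,
    otherwise 0. threshold == 0 is classic Hamming matching."""
    m = len(pattern)
    if m == 0 or m > len(text):
        return []
    return [sum(1 for j in range(m) if abs(text[i + j] - pattern[j]) <= threshold)
            for i in range(len(text) - m + 1)]

def best_alignments(text, pattern, threshold):
    """(best score, alignment positions achieving it)."""
    scores = threshold_similarity(text, pattern, threshold)
    best = max(scores)
    return best, [i for i, s in enumerate(scores) if s == best]

# Constructed sample: an analog pattern hidden in the text at offset 3 with
# additive noise of magnitude <= 0.4.
PATTERN = [1.0, 4.0, 2.0, 5.0]
TEXT = [0.0, 9.0, 7.0, 1.3, 3.6, 2.2, 4.8, 9.0, 0.0]
```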
Storage of a total order relationship

Protocols were designed for storage outsourcing where is a total order on n items that are stored with a remote server called the dealer, and a user query consists of a pair of items whose relative ordering should be revealed along with a proof that the result is correct. The proof is generated using the dealer's local data (i.e., without bothering the data owner). The main difficulty was achieving efficient storage and query-processing while achieving the desiderata that (i) the user should learn nothing other than the answer to their query, and (ii) a misbehaving dealer should not be able to convince a user of a wrong ordering. The scheme was generalized to partial orders that can be decomposed into a number of total orders, in which case a user either learns the ordering of the two queried items, or learns that they are incomparable.